Date: Tuesday, December 27, 2016 @ 13:58:32 Author: eworm Revision: 284860
upgpkg: openvpn 2.4.0-1 new upstream release This requires administrative interaction for active systemd units. Changes are explained in install message and news will be posted once this package moves to [core]. Added: openvpn/trunk/0001-plugin.patch openvpn/trunk/0002-do-not-race-on-RuntimeDirectory.patch openvpn/trunk/news.md openvpn/trunk/openvpn.install Modified: openvpn/trunk/PKGBUILD Deleted: openvpn/trunk/[email protected] --------------------------------------------+ 0001-plugin.patch | 46 +++++++++++++++ 0002-do-not-race-on-RuntimeDirectory.patch | 59 +++++++++++++++++++ PKGBUILD | 81 +++++++++++++++++++-------- news.md | 17 +++++ openvpn.install | 24 ++++++++ [email protected] | 17 ----- 6 files changed, 203 insertions(+), 41 deletions(-) Added: 0001-plugin.patch =================================================================== --- 0001-plugin.patch (rev 0) +++ 0001-plugin.patch 2016-12-27 13:58:32 UTC (rev 284860) 
@@ -0,0 +1,46 @@ +diff --git a/configure.ac b/configure.ac +index f4073d0..5fe652e 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -301,13 +301,12 @@ AC_ARG_WITH( + [with_crypto_library="openssl"] + ) + +-AC_ARG_WITH( +- [plugindir], +- [AS_HELP_STRING([--with-plugindir], [plugin directory @<:@default=LIBDIR/openvpn@:>@])], +- , +- [with_plugindir="\$(libdir)/openvpn/plugins"] +-) +- ++AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory @<:@default=LIBDIR/openvpn/plugins@:>@]) ++if test -n "${PLUGINDIR}"; then ++ plugindir="${PLUGINDIR}" ++else ++ plugindir="\${libdir}/openvpn/plugins" ++fi + + AC_DEFINE_UNQUOTED([TARGET_ALIAS], ["${host}"], [A string representing our host]) + case "$host" in +@@ -1245,7 +1244,6 @@ AM_CONDITIONAL([ENABLE_PLUGIN_AUTH_PAM], [test "${enable_plugin_auth_pam}" = "ye + AM_CONDITIONAL([ENABLE_PLUGIN_DOWN_ROOT], [test "${enable_plugin_down_root}" = "yes"]) + AM_CONDITIONAL([ENABLE_CRYPTO], [test "${enable_crypto}" = "yes"]) + +-plugindir="${with_plugindir}" + sampledir="\$(docdir)/sample" + AC_SUBST([plugindir]) + AC_SUBST([sampledir]) +diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am +index 4c18449..188834a 100644 +--- a/src/openvpn/Makefile.am ++++ b/src/openvpn/Makefile.am +@@ -27,7 +27,8 @@ AM_CFLAGS = \ + $(OPTIONAL_CRYPTO_CFLAGS) \ + $(OPTIONAL_LZO_CFLAGS) \ + $(OPTIONAL_LZ4_CFLAGS) \ +- $(OPTIONAL_PKCS11_HELPER_CFLAGS) ++ $(OPTIONAL_PKCS11_HELPER_CFLAGS) \ ++ -DPLUGIN_LIBDIR=\"${plugindir}\" + if WIN32 + # we want unicode entry point but not the macro + AM_CFLAGS += -municode -UUNICODE Added: 0002-do-not-race-on-RuntimeDirectory.patch =================================================================== --- 0002-do-not-race-on-RuntimeDirectory.patch (rev 0) +++ 0002-do-not-race-on-RuntimeDirectory.patch 2016-12-27 13:58:32 UTC (rev 284860) 
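Review bot: `PLUGINDIR` is taken from the build environment in the new `AC_ARG_VAR` block of configure.ac and reaches `-DPLUGIN_LIBDIR=\"${plugindir}\"` in src/openvpn/Makefile.am without any check. That define is presumably the directory against which the daemon resolves relative plugin names before loading them, so a relative or stray value from the builder's environment would be compiled into the binary. Inside the `if test -n "${PLUGINDIR}"` branch I would reject non-absolute values, e.g. `case "${PLUGINDIR}" in /*) ;; *) AC_MSG_ERROR([PLUGINDIR must be an absolute path]) ;; esac`. A comment next to the variable should also say that the directory has to be writable by root only, since shared objects are loaded from it.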
@@ -0,0 +1,59 @@ +From 3e8b360cca4d97bef113a25f982601d4742af896 Mon Sep 17 00:00:00 2001 +From: Christian Hesse <[email protected]> +Date: Fri, 16 Dec 2016 22:56:15 +0100 +Subject: [PATCH 1/1] do not race on RuntimeDirectory + +Different unit instances create and destroy the same RuntimeDirectory. +This leads to running instances where the status file (and possibly +more runtime data) is no longer accessible. + +So do not handle this in unit files but provide a tmpfiles.d +configuration and let systemd-tmpfiles do the work. +Nobody will (unintentionally) delete the directories and its content. +As /run is volatile we do not have to care about cleanup. + +Signed-off-by: Christian Hesse <[email protected]> +--- + distro/systemd/[email protected] | 2 -- + distro/systemd/[email protected] | 2 -- + distro/systemd/openvpn.conf | 2 ++ + 3 files changed, 2 insertions(+), 4 deletions(-) + create mode 100644 distro/systemd/openvpn.conf + +diff --git a/distro/systemd/[email protected] b/distro/systemd/[email protected] +index 5618af3..1187ee8 100644 +--- a/distro/systemd/[email protected] ++++ b/distro/systemd/[email protected] +@@ -9,8 +9,6 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO + [Service] + Type=notify + PrivateTmp=true +-RuntimeDirectory=openvpn-client +-RuntimeDirectoryMode=0710 + WorkingDirectory=/etc/openvpn/client + ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config %i.conf + CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE +diff --git a/distro/systemd/[email protected] b/distro/systemd/[email protected] +index b9b4dba..25a6bb7 100644 +--- a/distro/systemd/[email protected] ++++ b/distro/systemd/[email protected] +@@ -9,8 +9,6 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO + [Service] + Type=notify + PrivateTmp=true +-RuntimeDirectory=openvpn-server +-RuntimeDirectoryMode=0710 + WorkingDirectory=/etc/openvpn/server + 
ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf + CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE +diff --git a/distro/systemd/openvpn.conf b/distro/systemd/openvpn.conf +new file mode 100644 +index 0000000..bb79671 +--- /dev/null ++++ b/distro/systemd/openvpn.conf +@@ -0,0 +1,2 @@ ++d /run/openvpn-client 0710 root root - ++d /run/openvpn-server 0710 root root - +-- +2.11.0 + Modified: PKGBUILD =================================================================== --- PKGBUILD 2016-12-27 13:20:34 UTC (rev 284859) +++ PKGBUILD 2016-12-27 13:58:32 UTC (rev 284860) 
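Review bot: The new distro/systemd/openvpn.conf has no comment, although the server unit's `--status %t/openvpn-server/status-%i.log` now depends on it. With `RuntimeDirectory=` removed, a start before systemd-tmpfiles has processed the file would presumably fail to write the status file. Status files now also stay in `/run/openvpn-server` after an instance stops, until the next reboot, so mode 0710 with owner and group root is what keeps them from unprivileged users. I would add a header such as `# Shared runtime directories for all openvpn-client@/openvpn-server@ instances; not managed via RuntimeDirectory= so that stopping one instance cannot remove them. Keep 0710 root:root.` The packaging notes should also state that `systemd-tmpfiles --create openvpn.conf` must run before the first start if the machine is not rebooted.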
@@ -1,56 +1,89 @@ # $Id$ -# Maintainer: Thomas Bächler <[email protected]> +# Maintainer: Christian Hesse <[email protected]> pkgname=openvpn -pkgver=2.3.14 +pkgver=2.4.0 pkgrel=1 -pkgdesc="An easy-to-use, robust, and highly configurable VPN (Virtual Private Network)" -arch=(i686 x86_64) -url="http://openvpn.net/index.php/open-source.html" +pkgdesc='An easy-to-use, robust and highly configurable VPN (Virtual Private Network)' +arch=('i686' 'x86_64') +url='http://openvpn.net/index.php/open-source.html' depends=('openssl' 'lzo' 'iproute2' 'libsystemd' 'pkcs11-helper') optdepends=('easy-rsa: easy CA and certificate handling') makedepends=('systemd') license=('custom') -source=(https://swupdate.openvpn.net/community/releases/openvpn-${pkgver}.tar.xz{,.asc} - [email protected]) -sha256sums=('f3a0d0eaf8d544409f76a9f2a238a0cd3dde9e1a9c1f98ac732a8b572bcdee98' +install=openvpn.install +validpgpkeys=('03300E11FED16F59715F9996C29D97ED198D22A3' # Samuli Seppänen <[email protected]> + '7ACD56B74144925C6214329757DB9DAB613B8DA1') # David Sommerseth (OpenVPN Technologies, Inc) <[email protected]> +source=("https://swupdate.openvpn.net/community/releases/openvpn-${pkgver}.tar.xz"{,.asc} + '0001-plugin.patch' + '0002-do-not-race-on-RuntimeDirectory.patch') +sha256sums=('6f23ba49a1dbeb658f49c7ae17d9ea979de6d92c7357de3d55cd4525e1b2f87e' 'SKIP' - '28840ef1e4c7c80da1d9de3224fad8e8540e0cf58326d65227cf3ce7ab867990') -validpgpkeys=('03300E11FED16F59715F9996C29D97ED198D22A3') # Samuli Seppänen + 'b8254067b4ef5d157d87267a76938d86f101972303c7ff20131cc9f28659a30c' + 'a87b081f998db99190e8b9e185cd7aade5bd6dfb5c03777c82b75d28cd3b375c') +prepare() { + cd "${srcdir}"/${pkgname}-${pkgver} + + # plugin path + patch -Np1 < "${srcdir}"/0001-plugin.patch + + # do not race on RuntimeDirectory + patch -Np1 < "${srcdir}"/0002-do-not-race-on-RuntimeDirectory.patch + + # regenerate configure script + autoreconf -fi +} + build() { - cd "${srcdir}"/$pkgname-$pkgver - CFLAGS="$CFLAGS 
-DPLUGIN_LIBDIR=\\\"/usr/lib/openvpn\\\"" ./configure \ + cd "${srcdir}"/${pkgname}-${pkgver} + + ./configure \ --prefix=/usr \ --sbindir=/usr/bin \ - --enable-password-save \ - --mandir=/usr/share/man \ --enable-iproute2 \ + --enable-pkcs11 \ + --enable-plugins \ --enable-systemd \ - --enable-pkcs11 \ --enable-x509-alt-username make } +check() { + cd "${srcdir}"/${pkgname}-${pkgver} + + make check +} + package() { - cd "${srcdir}"/$pkgname-$pkgver + cd "${srcdir}"/${pkgname}-${pkgver} # Install openvpn make DESTDIR="${pkgdir}" install - install -d -m755 "${pkgdir}"/etc/openvpn + # Create empty configuration directories + install -d -m0750 -g 90 "${pkgdir}"/etc/openvpn/{client,server} + # Install examples - install -d -m755 "${pkgdir}"/usr/share/openvpn + install -d -m0755 "${pkgdir}"/usr/share/openvpn cp -r sample/sample-config-files "${pkgdir}"/usr/share/openvpn/examples # Install license - install -d -m755 "${pkgdir}"/usr/share/licenses/${pkgname}/ - ln -sf /usr/share/doc/${pkgname}/{COPYING,COPYRIGHT.GPL} "${pkgdir}"/usr/share/licenses/${pkgname}/ + install -d -m0755 "${pkgdir}"/usr/share/licenses/openvpn/ + ln -sf /usr/share/doc/openvpn/{COPYING,COPYRIGHT.GPL} "${pkgdir}"/usr/share/licenses/openvpn/ # Install contrib - install -d -m755 "${pkgdir}"/usr/share/openvpn/contrib - cp -r contrib "${pkgdir}"/usr/share/openvpn + for FILE in $(find contrib -type f); do + case "$(file --brief --mime-type "${FILE}")" in + "text/x-shellscript") install -D -m0755 "${FILE}" "${pkgdir}/usr/share/openvpn/${FILE}" ;; + *) install -D -m0644 "${FILE}" "${pkgdir}/usr/share/openvpn/${FILE}" ;; + esac + done - # Install systemd service - install -D -m644 "${srcdir}"/[email protected] "${pkgdir}"/usr/lib/systemd/system/[email protected] + # Install systemd files + install -d -m0755 "${pkgdir}"/usr/lib/systemd/system/ + install -m0644 distro/systemd/openvpn-{client,server}@.service "${pkgdir}"/usr/lib/systemd/system/ + install -D -m0644 distro/systemd/openvpn.conf 
"${pkgdir}"/usr/lib/tmpfiles.d/openvpn.conf + install -d -m0710 "${pkgdir}"/run/openvpn-{client,server} } + Added: news.md =================================================================== --- news.md (rev 0) +++ news.md 2016-12-27 13:58:32 UTC (rev 284860) @@ -0,0 +1,17 @@ +OpenVPN 2.4.0 update requires administrative interaction +======================================================== + +The upgrade to openvpn 2.4.0 makes changes that are incompatible with +previous configurations. Take **special care** if you depend on VPN +connectivity for **remote access**! Administrative interaction is required: + +* Configuration is expected in sub directories now. Move your files + from `/etc/openvpn/` to `/etc/openvpn/server/` or `/etc/openvpn/client/`. +* The plugin lookup path changed, remove extra `plugins/` from relative + paths. +* The systemd unit `[email protected]` was replaced with + `[email protected]` and `[email protected]`. Restart and + reenable accordingly. + +This does not affect the functionality of `networkmanager`, `connman` +or `qopenvpn`. Added: openvpn.install =================================================================== --- openvpn.install (rev 0) +++ openvpn.install 2016-12-27 13:58:32 UTC (rev 284860) 
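Review bot: `install -d -m0750 -g 90 "${pkgdir}"/etc/openvpn/{client,server}` in package() hard-codes a numeric group with no comment, and these directories typically hold private keys and credential files. Mode 0750 lets every member of gid 90 list and traverse them, so the PKGBUILD should say which group that is and why it needs access. I would add `# gid 90 = <group name>; members may traverse the config dirs, key files themselves must not be group-readable` above the line, or use `-m0700` if no group access is intended. Separately, `for FILE in $(find contrib -type f)` splits file names on whitespace; `find contrib -type f -print0 | while IFS= read -r -d '' FILE; do` avoids that.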
@@ -0,0 +1,24 @@ +#!/bin/sh + +post_upgrade() { + # return if old package version greater 2.4... + (( $(vercmp $2 '2.4') > 0 )) && return + + # upgrade from pre-2.4 version... + echo "This upgrade from openvpn $2 to openvpn $1 made changes that require" + echo "administrative interaction:" + echo " -> Configuration is expected in sub directories now. Move your files" + echo " from /etc/openvpn/ to /etc/openvpn/server/ or /etc/openvpn/client/." + echo " -> The plugin lookup path changed, remove extra 'plugins/' from relative paths." + echo " -> The systemd unit [email protected] was replaced with [email protected]" + echo " and [email protected]. Restart and reenable accordingly." + + local UNITS="$(systemctl list-units --quiet --no-pager --no-legend --plain | grep '^openvpn@' | cut -d' ' -f1)" + if (( ${#UNITS} )); then + echo "This is a (possibly incomplete) list of units that need to be acted on:" + for UNIT in ${UNITS}; do + echo " -> ${UNIT}" + done + fi +} + Deleted: [email protected] =================================================================== --- [email protected] 2016-12-27 13:20:34 UTC (rev 284859) +++ [email protected] 2016-12-27 13:58:32 UTC (rev 284860) @@ -1,17 +0,0 @@ -[Unit] -Description=OpenVPN connection to %I -After=syslog.target network.target network-online.target -Documentation=man:openvpn(8) - -[Service] -PrivateTmp=true -Type=forking -ExecStart=/usr/bin/openvpn --cd /etc/openvpn --config %i.conf --daemon openvpn@%i --writepid /run/openvpn@%i.pid --status-version 2 -PIDFile=/run/openvpn@%i.pid -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH -LimitNPROC=10 -DeviceAllow=/dev/null rw -DeviceAllow=/dev/net/tun rw - -[Install] -WantedBy=multi-user.target
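Review bot: The unit list in post_upgrade() is built from `systemctl list-units`, which reports only units that are currently loaded, so an `openvpn@` instance that is enabled but stopped is never shown. Because this commit deletes the old unit file, such an instance would presumably not start at the next boot, and a host that relies on the tunnel for remote access or for protecting its traffic gets no warning. The enablement symlinks can be listed as well, e.g. `for LINK in /etc/systemd/system/*.wants/openvpn@*.service; do [[ -L ${LINK} ]] && echo " -> ${LINK##*/}"; done` (`-L` because the links dangle once the unit file is gone). `$2` in `vercmp $2 '2.4'` should be quoted. The `#!/bin/sh` line is misleading, since `(( ))` and `local` require bash.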
